wasmtime-wasi is vulnerable to Resource Leak
23
Low Risk
Wasmtime's native implementation of WASIp1 suffers from a leak in the fd_renumber function: the file descriptor being renumbered to is not properly closed. The implementation erroneously updated only the table of descriptors for WASIp1 and did not update the underlying table of descriptors used by the host. As a result, while fd_renumber works correctly from a guest's perspective, it leaks resources in the host that aren't cleaned up until the corresponding Store is destroyed. Guests can therefore, in a loop, use fd_renumber to cause hosts to exhaust resources or exhaust file descriptors.
You are affected if you are using a version that falls within the vulnerable range and if your runtime exposes the fd_renumber function with file access enabled.
wasmtime-wasi is vulnerable to Resource Leak in versions 0.0.0 - 24.0.9, 25.0.0 - 36.0.10, 37.0.0 - 44.0.2 and 45.0.0 - 45.0.1.
Upgrade the wasmtime-wasi library to a patched version.
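The two-table mismatch described above can be modeled in a few lines. This is an added example, not Wasmtime's code: the `Ctx` type, its fields and both `fd_renumber_*` functions are hypothetical simplifications used to show why the host table grows and what a regression check on it looks like.

```rust
use std::collections::HashMap;
/// Simplified model (assumption): guest fd -> host handle -> open resource.
#[derive(Default)]
struct Ctx {
    guest: HashMap<u32, u32>,         // WASIp1 descriptor table seen by the guest
    host: HashMap<u32, &'static str>, // underlying host-side resource table
    next: u32,
}

impl Ctx {
    fn open(&mut self, fd: u32, name: &'static str) {
        self.host.insert(self.next, name);
        self.guest.insert(fd, self.next);
        self.next += 1;
    }

    /// Behaviour described in the advisory: only the guest table is updated.
    fn fd_renumber_leaky(&mut self, from: u32, to: u32) -> bool {
        match self.guest.remove(&from) {
            Some(h) => { self.guest.insert(to, h); true } // old `to` handle is orphaned
            None => false,
        }
    }

    /// Corrected behaviour: the resource previously at `to` is closed on the host too.
    fn fd_renumber_fixed(&mut self, from: u32, to: u32) -> bool {
        if from == to { return self.guest.contains_key(&from); }
        let Some(h) = self.guest.remove(&from) else { return false };
        if let Some(old) = self.guest.insert(to, h) {
            self.host.remove(&old); // close the overwritten descriptor
        }
        true
    }
}

/// Runs `rounds` open+renumber cycles onto fd 3 and returns live host resources.
fn host_resources_after(rounds: u32, fixed: bool) -> usize {
    let mut c = Ctx::default();
    c.open(3, "target");
    for _ in 0..rounds {
        c.open(4, "scratch");
        if fixed { c.fd_renumber_fixed(4, 3); } else { c.fd_renumber_leaky(4, 3); }
    }
    c.host.len()
}

fn main() {
    println!("leaky: {}, fixed: {}", host_resources_after(100, false), host_resources_after(100, true));
}
```

In both variants the guest ends up with a single descriptor; only the host-side count differs, which is why the leak is invisible from inside the guest.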